EU: EU agrees US demands to re-write data protection agreement, by Tony Bunyan
01 October 2008
Having got its way in a series of EU-US treaties on justice and home affairs cooperation, the USA is now seeking to permanently circumvent the EU’s “problematic” privacy laws
Since 11 September 2001 the EU and the USA have concluded six agreements covering justice and home affairs issues: 1:Europol (exchange of data); 2: Mutual assistance; 3: PNR (passenger name record); 4: SWIFT (all financial transactions, commercial and personal) 5: Extradition; and 6: Container Security Initiative (CSI). The first four involve the exchange of personal information on individuals.[1] All have been controversial with the one on PNR going to the European Court of Justice with the result that its legal basis had to be changed.
Having to negotiate each agreement individually with many of the same problems raising their head each time was not to the USA’s liking. One such “problem” is the lack of redress available to EU citizens under the US Privacy Act (which only gives rights to its own citizens) against the misuse of their personal data. Nor did it like the adverse publicity. In July 2007 the US government wrote to the Council of the European Union asking it to agree that all the documents regarding the negotiations leading to the controversial new EU-US PNR (passenger name record) agreement be kept secret:
for at least ten years after the entry into force of the agreements.[2]
What the US wanted was an over-arching treaty authorising all future agreements of this kind. So on 6 November 2006 a EU-US High Level Contact Group on information sharing and privacy and personal data protection was set up – with its brief drafted by the USA. Its terms of reference were to carry out:
discussions on privacy and personal data protection in the context of the exchange of information for law enforcement purposes as part of a wider reflection between the EU and the US on how best to prevent and fight terrorism and serious transnational crime.
On 28 May 2008 the Group produced its Final report and on 12 December the US and EU Justice and Home Affairs Ministerial meeting in Washington declared that negotiations were to start on a "binding international agreement as soon as possible."
However, unreleased EU documents show that prior to this meeting there were major reservations about US demands and further that COREPER (the high-level committee of permanent Brussels-based representatives from each of the 27 Member States) wanted to:
rethink the EU input in all areas of the transatlantic dialogue.
EU-US High level group report
The report sets out 12 very general “Principles”. Its scope cover:
”law enforcement purposes”, meaning use for the prevention, detection, investigation or prosecution of any criminal offence.(emphasis added)
Thus "any criminal offence" however minor, is affected. Nor is there any guarantee EU citizens will be informed that data and information on them has been transferred to the USA or to which agencies it has been passed or give them the right to correct it.
The agreement would apply to individual requests and automated mass transfers and allow the USA to give the data toany third state "if permitted under its domestic law”.
As Barry Steinhardt of the ACLU commented the 1974 US Privacy Act only applies to US citizens and there is:
no oversight or legal protections for non-U.S. persons… We believe that this situation clearly violates European legal requirements for the fair and lawful processing of personal information.
EU’s major reservations
A Note from the Council Presidency (15307/08, dated 7 November 2008) sent to COREPER raised alarm bells about how the negotiations were proceeding.
It said that at the EU-US Senior Officials Troika on 30-31 July 2008 the USA raised again their proposal of: “a political declaration to cover the interim period” before the international agreement was adopted. The EU side rejected this idea but at another EU-US meeting on 6 October 2008 it was raised again.
The Council Presidency and the Commission agreed that the EU-US JHA Ministerial Troika meeting in Washington on 12 December 2008 should consider the possibility of a declaration but in view of EU data protection rules:
it would not be possible to implement such a declaration, especially with respect to third parties
On 17 October 2008 the EU “forwarded a draft declaration” to the US. However, at the beginning of November the US replied with “an alternative text, which reflects a different approach”.The US had added five new “Principles”, which:
can hardly be put on the same level as the principles agreed in May.
These new “Principles” introduced by the US included protection for “private entities” and the:
equivalent and reciprocal application of data protection regulations, avoidance of any adverse impact on relations with third countries.
Moreover, the:
wording on the outstanding issues listed in the final report differ significantly [from text in May 2008]
The Council Presidency concluded that it was “not possible in a political declaration, to bring about the effects expected by the US side”, especially as they expected such a declaration to have “legal effects during the interim phase.”
12 December 2008 - Washington
The headline news from the EU-US Ministerial meeting on 12 December was a statement that a legally binding international agreement would be put in place – though after, and if, the Lisbon Treaty is adopted. The EU side also put on record that there were two issues outstanding: the lack of legal recourse for non-US people under US law and a ban or restriction on passingon data to third countries (Agence Europe, 15.12.08).
However, the detailed statement issued is more revealing. First, they agreed to: “ensure the continuation of law enforcement exchanges and practices between the United States and the EU” until such time as a binding agreement is in place – which may take over a year. No indication is given whether these “exchanges” simply refer to the legal agreements already in place or to law enforcement “exchanges” in general – it if means thelatter then the US side has, in effect, got an interim agreement.
Second, and most significantly, it sets out the new “Principles” introduced by the US in November 2008 – their incorporation was agreed at the High Level Contact Group on 9 December. Yet these are the very same new “Principles” that the EU had said:
“can hardly be put on the same level as the principles agreed in May.”
They include 1) ensuring there is no “adverse impact on private entities” which should be “avoided to the greatest possible extent”; 2) “preventing an undue impact on relations with third countries” by avoiding:
putting third countries in a difficult position because of differences relating to data privacy including legal and regulatory requirements.
3) “mutually-recognised conflicts of law” should be sorted outusing “specific conditions”; 4) the two sides are to resolve “matters arising from divergent legal and regulatory requirements”. The High Level group still has to resolve the issue of redress under US law and the “reciprocal application of data privacy law”.
Each of these new “Principles” would undermine those agreed in the final report of 28 May 2008 – and “Principles” One and Two (above) would drive a “coach and horses” through the legitimacy of any international agreement. The EU, having setout strong reservations ended up – as usual – substantially acceding to US’s changing demands.
Re-thinking EU-US relations
It has been apparent for years to observers able to get access to unreleased EU documents that EU-US meetings are one-sided affairs with the US side making all the running.[3] Now it seems the Council of the European Union (representing the 27 governments) is getting concerned too.
A newly-formed Council Working Party, JHA-RELEX AdHoc Support Group (JAIEX), discussed a Note from the Council Presidency in December (EU doc no: 17136/08) the:
broad feeling among many in the past years that it was essentially left to the United States to determine what was on the agenda of EU-US relations and that the EU has been insufficiently strong to set its own objectives, its own requests and where appropriate, also its own "red lines".
This belated realisation is particularly significant in the light of the recommendation from the Future Group for the new JHA “Stockholm Programme” that by 2014 there should be a decision on the creation of a:
Euro-Atlantic area of cooperation with the USA in the field of Freedom, Security and Justice.
This goes way beyond the existing mechanisms for cooperation. The USA would be sitting at the table with a very powerful voice and its demands and influence hidden from public view.[4]
Sources
1 The agreements on extradition and mutual assistance have yet to come into effect.
2 See:
http://www.statewatch.org/news/2007/sep/02eu-usa-pnr-secret.htm
3 EU/US security “channel” - a one-way street?
http://www.statewatch.org/news/2008/aug/03eu-usa-sw-art.htm
4 See: The Shape of Things to Come - the EU Future Group:
http://www.statewatch.org/analyses/the-shape-of-things-to-come.pdf